Preventing Cross-Site Request Forgery (CSRF) Attackshttp://www.asp.netMon, 20 May 2013 15:30:57 GMTumbracoComments for Preventing Cross-Site Request Forgery (CSRF) AttacksenComment Posted by mambyhttp://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacksFri, 08 Mar 2013 03:57:53 GMT00000000-0000-0000-0000000018619Hi Mike,

where do we call the "ValidateRequestHeader"?

]]>Comment Posted by duanehaworthhttp://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacksThu, 09 May 2013 14:50:30 GMT00000000-0000-0000-0000000019085And where does the "AntiForgery.GetTokens" method from the line:

AntiForgery.GetTokens(null, out cookieToken, out formToken);

come from?

]]>Comment Posted by matt.ghttp://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacksWed, 15 May 2013 10:13:32 GMT00000000-0000-0000-0000000019109This seems to be all about MVC. What about Web Forms, as this page www.asp.net/ said to go here?

]]>Comment Posted by cornanhttp://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacksMon, 20 May 2013 15:30:57 GMT00000000-0000-0000-0000000019145I'm not 100% sure I follow how this works. It would make the post clearer for me if the numbered bullets under "Anti-Forgery Tokens" spelled out the "untrustworthy site" scenario. Other paragraphs touch on the "same-origin policies", but they are not included in that set of numbered bullets, so I'm not sure at which point the hidden form field cannot be seen and by "whom".

Otherwise interesting and clear...

]]>